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Abstract 

Modern commercial aircraft have extensive automation 
which helps the pilot by performing computations, ob- 
taining data, and completing procedural tasks. The 
pTlot display must contain ’enough information so that 
the pilot can correctly predict the aircraft’s behavior, 
while not overloading the pilot with unnecessary in- 
formation. Human-automation interaction is currently 
evaluated through extensive simulation. In this pa- 
per, using both hybrid and discrete-event system tech- 
niques, we show how one could mathematically verify 
that an interface contains enough information for the 
pilot to safely and unambiguously complete a desired 
maneuver. We first develop a nonlinear, hybrid model 
for the longitudinal dynamics of a large civil jet air- 
craft in an autoland/go-around maneuver. We find the 
largest controlled subset of the aircraft’s flight envelope 
for which we can guarantee both safe landing and safe 
go-around. We abstract a discrete procedural model 
using this result, and verify a discrete formulation of 
the pilot display against it. An interface which fails 
this verification could result in nondeterministic or un- 
predictable behavior from the pilot’s point of view. 


1 Introduction 

One of the key enabling technologies for increased au- 
tomation in human-machine systems is verification , 
which allows for heightened confidence that the sys- 
tem will perform as desired. To verify system safety , 
the safety specification is first represented as a desired 
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subset of the state space in which the system should 
remain. The process of verifying safety then involves 
computing the subset of the state space which is back- 
wards reachable from this “safe set” of states; if this 
backwards reachable set intersects any states outside 
the desired regionyThenThe system is deemed unsafe. 
We can restrict system behavior by pruning away sys- 
tem trajectories which lead to unsafe states, to synthe- 
size a controller which, if enforced, guarantees safety. 

In the past several years, a method [1] and a numerical 
tool [2, 3] have been developed for verifying the safety 
of hybrid systems. Previous work, for example [4], has 
focused on applications of hybrid system theory to fully 
automated systems, assuming that the controller itself 
is an automaton. Here we consider the problem of con- 
troling semi- automated systems, in which the automa- 
ton and a human controller share authority over the 
control of the system [5]. In particular, we consider 
the problem of verification of an interface between a 
sem -automated hybrid system and a human controller, 
and we pose the question: Is the information displayed 
to the human controller about the hybrid system evolu- 
tion sufficient for the human controller to act in such 
a way that the system remains safe? We consider this 
problem within the framework of an example: the au- 
tomatic landing system (autoland) of a large civil jet 
airliner. 

The autoland system of modern aircraft is one of the 
most safety-critical components, and is subject to strin- 
gent certification criteria [6]. Modeling the aircraft's 
behavior, which incorporates logic from the autopilot 
as well as inherently complicated aircraft dynamics, re- 
sults in a high- dimensional hybrid system with many 
cont.nuous and discrete states. Most of the informa- 
tion is abstracted away, so that only a subset of this 
information is displayed to the pilot. Here, we are in- 
terested in verifying that the cockpit interface provides 
the pilot with enough information so that the pilot can 
safely land or safely go-around. 
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Table 1: Aerodynamic constants for autoiand modes in- 
dexed by x = /i(x, u ) . 



Figure 2: Hybrid procedural automaton ^procedure- 

The initial state of our procedural model H procedure 
(Figure 2) is Flare, with flaps at Flaps-30 and thrust 
fixed at idle. As instructed, when a pilot initiates a go- 
around maneuver (often called a “TOGA” due to the 
“Take- Off/Go- Around” indicator on the pilot controls 
and display) , the pilot changes the flaps to Flaps-20 and 
the autothrottle forces the thrust to T max (Toga-Max). 
When the aircraft obtains a positive rate of climb, the 
pilot raises the landing gear, and the autothrottle al- 
lows T € [0,T max ] (Toga-Up). The aircraft continues 
to climb to the missed approach altitude /i a]t , then 
switches into an altitude-holding mode, Altitude (with 
the landing gear down). If a go- around does not occur, 
the aircraft switches to Rollout when it lands. (We do 
not model the aircraft’s behavior after touchdown.) 

Although go-arounds are unpredictable and may be re- 
quired at any time during the autoland prior to touch- 
down, otoga is a controlled transition because the pi- 
lot must initiate the go-around for it to occur. Cer- 
tain events occur simultaneously: changing the flaps 
to Flaps-30 and event c^oga, raising the landing gear 
and h > 0, and lowering the landing gear and h > ft aIt . 

2.3 State and Input Bounds 
Each mode in the procedural automaton is subject to 
state and input bounds, due to constraints arising from 
aircraft aerodynamics and desired aircraft behavior. 
These bounds, shown in Table 2, form the boundary 
of the flight envelope Wo- Bounds on V and a are de- 
termined by stall speeds and structural limitations for 
each flap setting [22]. Bounds on 7 and T are deter- 


Mode 

V [m/s] 

7 [degrees] 

a [degrees! 

Flare 

[55.57, 87.46] 

[— 6.0°,0.0°] 

[-9°, 15°] 

Toga-Max 

[63.79, 97.74] 

[-6.0° ,0.0°] 

[—8°, 12°] 

Toga-Up 

[63.79, 97.74] 

[0.0°, 13.3°] 

[-8°, 12°] 

Altitude 

[63.79, 97.74] 

[—0.7°, 0.7°] 

[-8° ,12°] 


Table 2: State bounds for autoland modes of ^procedure- 


mined by the desired maneuver [23]. Additionally, at 
touchdown, 6 G [0°, 12.9°] to prevent a tail strike, and 
h > -1.829 m/s to prevent damage to the landing gear. 


3 Safety Analysis 

The state bounds just described define flight envelopes 
for each of the discrete modes. These envelopes are 
not. necessarily controlled invariant . Thus, we need to 
determine what subsets of these envelopes are actu- 
ally controllable given the input authority available to 
the autopilot. Because the nonlinear dynamics of our 
model (1) make analytic determination of the control- 
lable subsets impossible, we employ a previously de- 
veloped computational algorithm for finding controlled 
invariant sets for this problem [3]. 

3.1 Computing Reachable Sets 

For each discrete mode of the autoland system, we de- 
fine the target set as the region outside the flight en- 
velope Wo, denoted (Wo) c for the complement of Wo- 
Given some dynamically evolving system and some tar- 
get set, we define the backward reachable set W c (£) as 
the set of all system states which reach the target set 
in time t. The autopilot inputs a and T try to drive 
the state away from the target set, to keep the aircraft 
within Wo. 

Computing the reachable set in a discrete system with 
a finite number of states — and hence a finite number 
of possible transitions — is a straightforward but possi- 
bly time consuming task of enumerating all the states 
which have a path to the target set. Computing reach- 
able sets for a continuous system is a much more dif- 
ficult undertaking; for example, how should the uii- 
countably many states in any nontrivial target set be 
represented? 

An algorithm has been developed for computing the 
reachable sets of continuous nonlinear systems, based 
on a time dependent Hamilton-Jacobi (HJ) partial dif- 
ferential equation (PDE) [2, 3]. For x = /(: r, u), x € X, 
input u (zU tries to keep the system from reaching the 
target set. Define a continuous function Jq : X — > K 
such that (Wo) c = {iG X) Jo(x) < 0}. As shown in [2], 
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Figure 5: The solid shape is the safe region Wf n Wr, 
from which safe landing and safe go-around is 
possible. The meshes depict Wf and Wt- 



Figure 6: (^interface for autoland/go- around maneuver. 
Event <j\ occurs when h = 0 , <73 when h > 


highly automated aircraft, including the option not to 
enforce a recommended switch. 

The pilot activates various knobs, buttons, and toggles 
to change the system’s mode. Interaction between the 
pilot’s actions and the system’s modes are encapsulated 
by a finite- state machine representation of the inter- 
face ^interface = ( Q interfaces ^interfaces ^interface) ■ Modes 

^interface are determined by the indications on the dis- 
play; events ^interface are determined by internal tran- 
sitions in the system, or by the pilot’s actions. The 
transition function is interface- The interface for an 
autoland/go-around is shown in Figure 6. 

To compare the interface against the procedural 
model, we implement the controller for safety u m (x) in 
^procedure and create a discrete abstraction G£ rocedure 
based on the resultant closed-loop hybrid system. We 
partition the state-space in each mode into the interior, 
boundary, and complement of the safe flight envelope in 
that particular mode. Across the user-controlled switch 
^TOGA , we partition the state space according to the in- 
tersection of Wf in Flare and Wt in Toga-Up, resulting 
in nine regions in each mode. Across all other switches 
in Hp and Ht> we enforce safety by implementing u*(x) 
so that trajectories which begin inside or on the bound- 


ary' of the safe flight envelope in one mode will remain 
within or on the boundary of the safe flight envelope 
in all other modes in that hybrid subsystem. Only 
across user-controlled switches can the system become 
unsafe, because we can make no guarantees about the 
user’s actions, Gp roce dure has modes ^procedure > events 
procedure’ aild transition Unction dp rocedur e* 

We verify the correspondence between ^interface and 
procedure according to the verification methodology in 
[7j We associate each mode in ^interface and Qp rocedure 
to a certain specification class [7]. Specification classes 
are a way of indicating a type of behavior or quality 
of the system - for example, modes which the system 
should avoid belong to a specification class Unsafe. 

The interface and the abstracted procedural model are 
related through their events: events in £p rocedure niap 
to events in E interface- We define the map through 
S p:-ocedure S int erface ; by examining the events in 

each set and creating a correspondence between them 
by hand [7]. Events in £* rocedure which do not have a 
corresponding transition in Interface ma P t° the empty 
event £ [7], 

The- two systems are verified through the creation of 
a composition, defined by the map 1 r. The composi- 
tion ^composition allows us to keep track of the modes 
ant. events in both systems (G \ nterface and G p roced 

ure) 

at the same time. The process of creating the composi- 
tion uncovers possible problems: error states, blocking 
states, and augmented states [7], 

The composition begins with each initial state in each 
syst em for a given specification class, and is repeated 
for each pair of initial states. If each event a in 
^procedure suc b ^at p p f has a corresponding event 

7 r(a) in ^interface such that q q' t then the composite 

state (p. q) ( p ' , q f ) exists. If p and q have the same 

specification class, and p f and q f have the same speci- 
fication class, then the composition continues through- 
out the model. An error state exists when p’ and q f 
have different specification classes [7] . 

Other problems occur when the composition fails. If 
for 1 transition a 6 ^procedure from p p f there is 

no corresponding transition q * q\ then the compo- 
siticn has reached a blocking state [7]. (The interface 
blocks a transition which occurs in the abstracted pro- 
cedural model.) Alternatively, if there is a transition 

7T(a/ € ^interface from q — ^ q' but no corresponding 
transition a € £* rocedure from p p’ , then the com- 

position has reached an augmented state [7]. (The in- 
terface indicates a transition which is not possible in 
the abstracted procedural model.) 
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